CVE-2025-59163

CVE-2025-59163 is a low-severity vulnerability with a CVSS 4.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-350.

Key facts

Description

vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5.

Frequently asked questions

What is CVE-2025-59163?
vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5.
How severe is CVE-2025-59163?
CVE-2025-59163 has a CVSS 4.0 base score of 2.1, rated low severity.
Is CVE-2025-59163 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-59163?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-59163 have an EU (EUVD) identifier?
Yes. CVE-2025-59163 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-31583.
When was CVE-2025-59163 published?
CVE-2025-59163 was published on 2025-09-29 and last updated on 2026-06-17.

References

Other CWE-350 vulnerabilities

Browse all CWE-350 vulnerabilities →